ambient does not work on minikube #46163

Closed
2 tasks done
jmazzitelli opened this issue Jul 25, 2023 · 42 comments
Labels:

- Ambient Beta (Must have for Beta of Ambient Mesh)
- area/ambient (Issues related to ambient mesh)
- L4 (Issues related to L4 for ambient)

Comments

@jmazzitelli (Member)

Is this the right place to submit this?

- [x] This is not a security vulnerability or a crashing bug
- [x] This is not a question about how to use Istio

### Bug Description

Follow this: https://istio.io/latest/docs/ops/ambient/getting-started/

I did not install Gateway APIs. I followed the "Istio APIs" instructions to install:

```
istioctl install --set profile=ambient --set components.ingressGateways[0].enabled=true --set components.ingressGateways[0].name=istio-ingressgateway --skip-confirmation
```

Cluster is minikube. I'm using an Istio 1.19-dev build (see "Version" field for details).

Things look installed properly:

```
$ kubectl get pods -n bookinfo
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-7745b6fcf4-79m8s       1/1     Running   0          68s
productpage-v1-6f89b6c557-ccpth   1/1     Running   0          68s
ratings-v1-77bdbf89bb-ndv8b       1/1     Running   0          68s
reviews-v1-667b5cc65d-dzslp       1/1     Running   0          68s
reviews-v2-6f76498fc8-2mdfv       1/1     Running   0          68s
reviews-v3-5d8667cc66-j6m8x       1/1     Running   0          68s
$ kubectl get pods,ds -n istio-system
NAME                                       READY   STATUS    RESTARTS   AGE
pod/istio-cni-node-9nd56                   1/1     Running   0          9m55s
pod/istio-ingressgateway-7d67669df-9dgpg   1/1     Running   0          9m55s
pod/istiod-7c6f4d8478-26gc8                1/1     Running   0          10m
pod/ztunnel-tcpg8                          1/1     Running   0          10m

NAME                            DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/istio-cni-node   1         1         1       1            1           kubernetes.io/os=linux   9m55s
daemonset.apps/ztunnel          1         1         1       1            1           kubernetes.io/os=linux   10m
```

But there are errors in the CNI daemonset; see cni-errors.log, which is from `kubectl logs -n istio-system daemonset/istio-cni-node > cni-errors.log`

First error in the logs is:

```
2023-07-25T12:41:04.140628Z	warn	ambient	unable to list IPSet: failed to list ipset ztunnel-pods-ips: no such file or directory
```

with a bunch of

```
2023-07-25T12:41:16.745442Z	warn	ambient	Error running command iptables-legacy: iptables: No chain/target/match by that name.
```

and then

```
2023-07-25T12:41:16.773229Z	error	controllers	error handling istio-system/ztunnel-tcpg8, retrying (retry count: 1): failed to get veth device: no routes found for 10.244.0.10	controller=ambient
```

### Version

```
$ istioctl version
client version: 1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
control plane version: 1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
data plane version: 1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a (2 proxies)
$ kubectl version --short
Flag --short has been deprecated, and will be removed in the future. The --short output will become the default.
Client Version: v1.26.1
Kustomize Version: v4.5.7
Server Version: v1.26.3
```

Minikube (relevant for this issue; this error doesn't happen with KinD):

```
$ minikube version
minikube version: v1.30.1
commit: 08896fd1dc362c097c925146c4a0d0dac715ace0
```

Operating System/Hardware:

```
$ uname -a
Linux jmazzite-thinkpadp1gen3.ttn.csb 6.3.12-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul  6 04:05:18 UTC 2023 x86_64 GNU/Linux

$ cat /etc/redhat-release
Fedora release 38 (Thirty Eight)
```


### Additional Information

[bug-report.tar.gz](https://github.com/istio/istio/files/12161334/bug-report.tar.gz)


### Affected product area

- [X] Ambient
- [ ] Docs
- [ ] Installation
- [ ] Networking
- [ ] Performance and Scalability
- [ ] Extensions and Telemetry
- [ ] Security
- [ ] Test and Release
- [ ] User Experience
- [ ] Developer Infrastructure
- [ ] Upgrade
- [ ] Multi Cluster
- [ ] Virtual Machine
- [ ] Control Plane Revisions
istio-policy-bot added the area/ambient (Issues related to ambient mesh) label on Jul 25, 2023

@jmazzitelli (Member, Author)

Link to bug-report.tar.gz

@jmazzitelli (Member, Author)

I tried starting minikube with --cni=kindnet but still getting errors.

@jmazzitelli (Member, Author)

jmazzitelli commented Jul 25, 2023

with kindnet CNI:

`kubectl logs -n istio-system daemonsets/istio-cni-node > kindnet.log`: kindnet.log

`istioctl bug-report`: bug-report.tar.gz

@bleggett (Contributor)

bleggett commented Jul 25, 2023

The initial warns are from node cleanup; as the logs mention, they're not relevant and are only logged as WARN:

```
ambient Node-level network rule cleanup started
2023-07-25T11:49:32.823752Z info    ambient If rules do not exist in the first place, warnings will be triggered - these can be safely ignored
...(warn)
...(warn)
2023-07-25T11:49:32.899316Z info    ambient Node-level cleanup done
```

This is an actual error, however:

```
2023-07-25T11:49:32.899398Z error   controllers error handling istio-system/ztunnel-7vggw, retrying (retry count: 1): failed to get veth device: no routes found for 10.244.0.9 controller=ambient
```

CNI can't seem to find a valid route on the node for the ztunnel pod IP k8s gives it, and so the node initialization fails before it gets to creating the ipset.

This is effectively a catastrophic failure (though it doesn't put the CNI agent into an unready state - it probably should, but that's a bit tricky given the CNI agent does double duty for sidecar and ambient).

Check istio-system - I bet your ztunnel pods are unhealthy. There should/must be a route to the ztunnel pod IP if the ztunnel pod is actually running in a correctly configured k8s cluster.

@jmazzitelli (Member, Author)

> Check istio-system - I bet your ztunnel pods are unhealthy. There should/must be a route to the ztunnel pod IP if the ztunnel pod is actually running in a correctly configured k8s cluster.

ztunnel pod and DS both look OK (the resource YAML for both is further down below):

```
$ kubectl get pods -n istio-system -l app=ztunnel
NAME            READY   STATUS    RESTARTS   AGE
ztunnel-thlvf   1/1     Running   0          7m13s

$ kubectl get ds -n istio-system ztunnel
NAME      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
ztunnel   1         1         1       1            1           kubernetes.io/os=linux   7m18s
```

Ztunnel pod logs:

```
$ kubectl logs -n istio-system -l app=ztunnel --tail=-1
2023-07-25T23:49:50.141644Z  INFO ztunnel: version: version.BuildInfo{Version:"33af17df795052ab725c35c98332d6aa3fc9535b", GitRevision:"33af17df795052ab725c35c98332d6aa3fc9535b", RustVersion:"1.71.0", BuildStatus:"Clean", GitTag:"1.19.0-alpha.1-26-g33af17d", IstioVersion:"unknown"}
2023-07-25T23:49:50.141714Z  INFO ztunnel: running with config: proxy: true
dns_proxy: false
window_size: 4194304
connection_window_size: 4194304
frame_size: 1048576
socks5_addr: 127.0.0.1:15080
admin_addr: 127.0.0.1:15000
stats_addr: '[::]:15020'
readiness_addr: '[::]:15021'
inbound_addr: '[::]:15008'
inbound_plaintext_addr: '[::]:15006'
outbound_addr: '[::]:15001'
dns_proxy_addr: '[::]:15053'
network: ''
local_node: minikube
proxy_mode: Shared
local_ip: 10.244.0.9
cluster_id: Kubernetes
cluster_domain: cluster.local
ca_address: https://istiod.istio-system.svc:15012
ca_root_cert: !File ./var/run/secrets/istio/root-cert.pem
xds_address: https://istiod.istio-system.svc:15012
xds_root_cert: !File ./var/run/secrets/istio/root-cert.pem
xds_on_demand: false
fake_ca: false
self_termination_deadline:
  secs: 5
  nanos: 0
proxy_metadata:
  ISTIO_VERSION: 1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
num_worker_threads: 2
enable_original_source: null
proxy_args: proxy ztunnel

2023-07-25T23:49:50.141919Z  INFO ztunnel::hyper_util: listener established address=[::]:15020 component="stats"
2023-07-25T23:49:50.141944Z  INFO ztunnel::hyper_util: listener established address=127.0.0.1:15000 component="admin"
2023-07-25T23:49:50.141965Z  INFO ztunnel::proxy::inbound: listener established address=[::]:15008 component="inbound" transparent=true
2023-07-25T23:49:50.141979Z  INFO ztunnel::proxy::inbound_passthrough: listener established address=[::]:15006 component="inbound plaintext" transparent=true
2023-07-25T23:49:50.141990Z  INFO ztunnel::proxy::outbound: listener established address=[::]:15001 component="outbound" transparent=true
2023-07-25T23:49:50.142005Z  INFO ztunnel::proxy::socks5: listener established address=127.0.0.1:15080 component="socks5"
2023-07-25T23:49:50.142009Z  INFO ztunnel::hyper_util: listener established address=[::]:15021 component="readiness"
2023-07-25T23:49:50.142017Z  INFO ztunnel::readiness: Task 'proxy' complete (1.602693ms), still awaiting 1 tasks
2023-07-25T23:49:50.145633Z  INFO ztunnel::xds::client: sending initial request resources=0 type_url="type.googleapis.com/istio.workload.Address"
2023-07-25T23:49:50.145655Z  INFO ztunnel::xds::client: sending initial request resources=0 type_url="type.googleapis.com/istio.security.Authorization"
2023-07-25T23:49:50.148625Z  INFO xds{id=1}: ztunnel::xds::client: Stream established
2023-07-25T23:49:50.148676Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=13
2023-07-25T23:49:50.148712Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/kube-system/registry-nr2cc
2023-07-25T23:49:50.148724Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/istiod-7c6f4d8478-jv5wj
2023-07-25T23:49:50.148730Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/kube-system/registry-proxy-dq9p5
2023-07-25T23:49:50.148734Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/kube-system/coredns-787d4945fb-zn7sc
2023-07-25T23:49:50.148740Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/ingress-nginx/ingress-nginx-controller-6cc5ccb977-9dpcj
2023-07-25T23:49:50.148765Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.security.Authorization" size=0
2023-07-25T23:49:50.148773Z  INFO ztunnel::readiness: Task 'state manager' complete (8.358733ms), marking server ready
2023-07-25T23:49:50.492388Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:49:50.492481Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/ztunnel-thlvf
2023-07-25T23:49:58.550705Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:49:58.550787Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/istio-egressgateway-78957ffb6-67rn2
2023-07-25T23:49:59.362577Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:49:59.362615Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/istio-egressgateway-78957ffb6-67rn2
2023-07-25T23:50:06.703472Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:06.703673Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/istio-ingressgateway-7d67669df-wsbth
2023-07-25T23:50:09.798993Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:10.021420Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:10.419592Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=3
2023-07-25T23:50:27.331479Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:27.331610Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/grafana-7bd5db55c4-dvff2
2023-07-25T23:50:32.441886Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:32.441926Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/jaeger-78756f7d48-qjq2f
2023-07-25T23:50:40.511249Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:40.511285Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/grafana-7bd5db55c4-dvff2
2023-07-25T23:50:47.657471Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:50:47.657547Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/istio-system/prometheus-67f6764db9-ngsmz
2023-07-25T23:51:37.878201Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=3
2023-07-25T23:51:38.019844Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:51:50.441269Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:51:50.441301Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/details-v1-7745b6fcf4-kn94s
2023-07-25T23:52:01.580019Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:52:01.580131Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/ratings-v1-77bdbf89bb-mcwn7
2023-07-25T23:52:48.221120Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=2
2023-07-25T23:52:48.221176Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/reviews-v1-667b5cc65d-9bd2m
2023-07-25T23:52:48.221208Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/reviews-v3-5d8667cc66-nxd9n
2023-07-25T23:52:49.204452Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:52:49.204485Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/reviews-v2-6f76498fc8-tf75h
2023-07-25T23:53:03.459096Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:53:03.459154Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/productpage-v1-6f89b6c557-6l4cw
2023-07-25T23:53:04.617903Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.workload.Address" size=1
2023-07-25T23:53:04.618114Z  INFO xds{id=1}: ztunnel::xds: handling delete Kubernetes//Pod/bookinfo/productpage-v1-6f89b6c557-6l4cw
2023-07-25T23:53:04.619739Z  INFO xds{id=1}: ztunnel::xds::client: received response type_url="type.googleapis.com/istio.security.Authorization" size=1
2023-07-25T23:53:04.619905Z  INFO xds{id=1}: ztunnel::xds: handling RBAC update productpage-viewer
```

Here's the tail of the istio-cni-node logs:

```
$ kubectl logs -n istio-system istio-cni-node-2j8xj --tail=5

2023-07-25T23:53:03.341290Z	info	ambient	Adding pod 'productpage-v1-6f89b6c557-6l4cw/bookinfo' (cfb8a61d-04b2-4e35-9006-2ef333ac2805) to ipset
2023-07-25T23:53:03.347177Z	info	ambient	Adding route for productpage-v1-6f89b6c557-6l4cw/bookinfo: [table 100 10.244.0.20/32 via 192.168.126.2 dev istioin src 10.244.0.1]
2023-07-25T23:53:03.349911Z	warn	ambient	Failed to add route ([table 100 10.244.0.20/32 via 192.168.126.2 dev istioin src 10.244.0.1]) for pod productpage-v1-6f89b6c557-6l4cw: Cannot find device "istioin"
```

ztunnel pod YAML:

```yaml
$ kubectl get -n istio-system pods -l app=ztunnel -oyaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Pod
  metadata:
    annotations:
      ambient.istio.io/redirection: disabled
      cni.projectcalico.org/allowedSourcePrefixes: '["0.0.0.0/0"]'
      prometheus.io/port: "15020"
      prometheus.io/scrape: "true"
      sidecar.istio.io/inject: "false"
    creationTimestamp: "2023-07-25T23:49:30Z"
    generateName: ztunnel-
    labels:
      app: ztunnel
      controller-revision-hash: 5577d475d5
      pod-template-generation: "1"
      sidecar.istio.io/inject: "false"
    name: ztunnel-thlvf
    namespace: istio-system
    ownerReferences:
    - apiVersion: apps/v1
      blockOwnerDeletion: true
      controller: true
      kind: DaemonSet
      name: ztunnel
      uid: a86eb416-288f-4252-8480-0dd95494156f
    resourceVersion: "846"
    uid: e6f0414c-d539-482e-8cdc-30634253a916
  spec:
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchFields:
            - key: metadata.name
              operator: In
              values:
              - minikube
    containers:
    - args:
      - proxy
      - ztunnel
      env:
      - name: CLUSTER_ID
        value: Kubernetes
      - name: POD_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.name
      - name: POD_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
      - name: NODE_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.nodeName
      - name: INSTANCE_IP
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: status.podIP
      - name: SERVICE_ACCOUNT
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: spec.serviceAccountName
      image: gcr.io/istio-testing/ztunnel:1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
      imagePullPolicy: IfNotPresent
      name: istio-proxy
      ports:
      - containerPort: 15020
        name: ztunnel-stats
        protocol: TCP
      readinessProbe:
        failureThreshold: 3
        httpGet:
          path: /healthz/ready
          port: 15021
          scheme: HTTP
        periodSeconds: 10
        successThreshold: 1
        timeoutSeconds: 1
      resources:
        requests:
          cpu: 500m
          memory: 2Gi
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          add:
          - NET_ADMIN
          drop:
          - ALL
        privileged: false
        readOnlyRootFilesystem: true
        runAsGroup: 1337
        runAsNonRoot: false
        runAsUser: 0
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
      volumeMounts:
      - mountPath: /var/run/secrets/istio
        name: istiod-ca-cert
      - mountPath: /var/run/secrets/tokens
        name: istio-token
      - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
        name: kube-api-access-mz2hf
        readOnly: true
    dnsPolicy: ClusterFirst
    enableServiceLinks: true
    nodeName: minikube
    nodeSelector:
      kubernetes.io/os: linux
    preemptionPolicy: PreemptLowerPriority
    priority: 0
    restartPolicy: Always
    schedulerName: default-scheduler
    securityContext: {}
    serviceAccount: ztunnel
    serviceAccountName: ztunnel
    terminationGracePeriodSeconds: 30
    tolerations:
    - effect: NoSchedule
      operator: Exists
    - key: CriticalAddonsOnly
      operator: Exists
    - effect: NoExecute
      operator: Exists
    - effect: NoExecute
      key: node.kubernetes.io/not-ready
      operator: Exists
    - effect: NoExecute
      key: node.kubernetes.io/unreachable
      operator: Exists
    - effect: NoSchedule
      key: node.kubernetes.io/disk-pressure
      operator: Exists
    - effect: NoSchedule
      key: node.kubernetes.io/memory-pressure
      operator: Exists
    - effect: NoSchedule
      key: node.kubernetes.io/pid-pressure
      operator: Exists
    - effect: NoSchedule
      key: node.kubernetes.io/unschedulable
      operator: Exists
    volumes:
    - name: istio-token
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            audience: istio-ca
            expirationSeconds: 43200
            path: istio-token
    - configMap:
        defaultMode: 420
        name: istio-ca-root-cert
      name: istiod-ca-cert
    - name: kube-api-access-mz2hf
      projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            items:
            - key: ca.crt
              path: ca.crt
            name: kube-root-ca.crt
        - downwardAPI:
            items:
            - fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
              path: namespace
  status:
    conditions:
    - lastProbeTime: null
      lastTransitionTime: "2023-07-25T23:49:30Z"
      status: "True"
      type: Initialized
    - lastProbeTime: null
      lastTransitionTime: "2023-07-25T23:49:50Z"
      status: "True"
      type: Ready
    - lastProbeTime: null
      lastTransitionTime: "2023-07-25T23:49:50Z"
      status: "True"
      type: ContainersReady
    - lastProbeTime: null
      lastTransitionTime: "2023-07-25T23:49:30Z"
      status: "True"
      type: PodScheduled
    containerStatuses:
    - containerID: docker://8b0b42a525cb36b3dac407c454e229571548dc74331726f14e0d54b95269baeb
      image: gcr.io/istio-testing/ztunnel:1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
      imageID: docker-pullable://gcr.io/istio-testing/ztunnel@sha256:f27b080094d7ab3dbe388b4bae2f482e51841e2d0061c68370a52e8982fadf60
      lastState: {}
      name: istio-proxy
      ready: true
      restartCount: 0
      started: true
      state:
        running:
          startedAt: "2023-07-25T23:49:50Z"
    hostIP: 192.168.39.145
    phase: Running
    podIP: 10.244.0.9
    podIPs:
    - ip: 10.244.0.9
    qosClass: Burstable
    startTime: "2023-07-25T23:49:30Z"
kind: List
metadata:
  resourceVersion: ""
```

ztunnel DS YAML:

```yaml
$ kubectl get -n istio-system ds/ztunnel -oyaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    deprecated.daemonset.template.generation: "1"
  creationTimestamp: "2023-07-25T23:49:30Z"
  generation: 1
  labels:
    install.operator.istio.io/owning-resource: installed-state
    install.operator.istio.io/owning-resource-namespace: istio-system
    istio.io/rev: default
    operator.istio.io/component: Ztunnel
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
  name: ztunnel
  namespace: istio-system
  resourceVersion: "847"
  uid: a86eb416-288f-4252-8480-0dd95494156f
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: ztunnel
  template:
    metadata:
      annotations:
        ambient.istio.io/redirection: disabled
        cni.projectcalico.org/allowedSourcePrefixes: '["0.0.0.0/0"]'
        prometheus.io/port: "15020"
        prometheus.io/scrape: "true"
        sidecar.istio.io/inject: "false"
      creationTimestamp: null
      labels:
        app: ztunnel
        sidecar.istio.io/inject: "false"
    spec:
      containers:
      - args:
        - proxy
        - ztunnel
        env:
        - name: CLUSTER_ID
          value: Kubernetes
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: INSTANCE_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: SERVICE_ACCOUNT
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.serviceAccountName
        image: gcr.io/istio-testing/ztunnel:1.19-alpha.c641d08aa437381c3678805e17c0479f247e714a
        imagePullPolicy: IfNotPresent
        name: istio-proxy
        ports:
        - containerPort: 15020
          name: ztunnel-stats
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz/ready
            port: 15021
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 500m
            memory: 2Gi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_ADMIN
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 1337
          runAsNonRoot: false
          runAsUser: 0
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/istio
          name: istiod-ca-cert
        - mountPath: /var/run/secrets/tokens
          name: istio-token
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: ztunnel
      serviceAccountName: ztunnel
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        operator: Exists
      - key: CriticalAddonsOnly
        operator: Exists
      - effect: NoExecute
        operator: Exists
      volumes:
      - name: istio-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: istio-ca
              expirationSeconds: 43200
              path: istio-token
      - configMap:
          defaultMode: 420
          name: istio-ca-root-cert
        name: istiod-ca-cert
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
status:
  currentNumberScheduled: 1
  desiredNumberScheduled: 1
  numberAvailable: 1
  numberMisscheduled: 0
  numberReady: 1
  observedGeneration: 1
  updatedNumberScheduled: 1
```

And here's one of the problems: this pod in the bookinfo namespace isn't able to start:

```
$ kubectl describe pods -n bookinfo kiali-traffic-generator-s2psz
Name:             kiali-traffic-generator-s2psz
Namespace:        bookinfo
Priority:         0
Service Account:  default
Node:             minikube/192.168.39.145
Start Time:       Tue, 25 Jul 2023 19:53:04 -0400
Labels:           app=kiali-traffic-generator
                  kiali-test=traffic-generator
Annotations:      ambient.istio.io/redirection: enabled
Status:           Pending
IP:               
IPs:              <none>
Controlled By:    ReplicaSet/kiali-traffic-generator
Containers:
  kiali-traffic-generator:
    Container ID:   
    Image:          quay.io/kiali/kiali-test-mesh-traffic-generator:latest
    Image ID:       
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:
      DURATION:  <set to the key 'duration' of config map 'traffic-generator-config'>  Optional: false
      ROUTE:     <set to the key 'route' of config map 'traffic-generator-config'>     Optional: false
      RATE:      <set to the key 'rate' of config map 'traffic-generator-config'>      Optional: false
      SILENT:    <set to the key 'silent' of config map 'traffic-generator-config'>    Optional: false
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zdcxt (ro)
Conditions:
  Type              Status
  Initialized       True 
  Ready             False 
  ContainersReady   False 
  PodScheduled      True 
Volumes:
  kube-api-access-zdcxt:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason                  Age                      From               Message
  ----     ------                  ----                     ----               -------
  Normal   Scheduled               9m29s                    default-scheduler  Successfully assigned bookinfo/kiali-traffic-generator-s2psz to minikube
  Warning  FailedCreatePodSandBox  9m27s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "5c8494a3a55b1b7169a4a23b1a34a4fee61e721ef792a1188f8f28b0bf2dcd3d" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m25s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "ecc447031f4fed9fa848e85cba18443aaa5a098d77406fd5a0bf59c953b514c0" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m24s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "f84139395f8e8f12d53e8387878332cfccba185c142e5b71da0d5d3d15959649" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m23s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "0320e3b34b85af53fe4ca75872a44a66cfdf08c1bb322585fb81ca7502e8bac4" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m21s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "8a70d3a89b088c7745e221e83dfae95a4d29812617fd75be9c5283115f69bcc2" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m20s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "13cef4d8654788116ba3f49b2d6a6a2521f0f3e5b9437db5c5d48824467209f5" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m19s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "ce2cd9cf0e998d5e9712925ec14344e785495e677c4746492774af9aca5098ed" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m18s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "1d6169f1730d949e3d4e9f832253e6d1db8553606d8876811fe04310c70777e5" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m17s                    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "af483e0e4a3117b41f170b1a2c01d4e8856ec67cd0a7a2433709b6c23440e857" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Warning  FailedCreatePodSandBox  9m13s (x4 over 9m16s)    kubelet            (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to set up sandbox container "614b71ee3a2b79e66cf030e4615b526325fc837e9f4185182b85c5cbac3c4a6c" network for pod "kiali-traffic-generator-s2psz": networkPlugin cni failed to set up pod "kiali-traffic-generator-s2psz_bookinfo" network: plugin type="istio-cni" name="istio-cni" failed (add): Cannot find device "istioin"
  Normal   SandboxChanged          4m27s (x265 over 9m26s)  kubelet            Pod sandbox changed, it will be killed and re-created.
```

bug-report.tar.gz

@bleggett
Contributor

bleggett commented Jul 27, 2023

Aight so we have 2 different problems with 2 different CNIs:


  1. Initial CNI you were using in your minikube:

Whatever CNI you were using by default in minikube isn't currently compatible with the Istio CNI for this reason:

no routes found for 10.244.0.9 controller=ambient

☝️ this is the cause of the problem with that CNI plugin. Regardless of the subsequent errors for other pods, the issue is that the Istio CNI DS cannot find a route from itself to the ztunnel IP thru the K8S network, as configured.

That code is here, and we're using the standard Go netlink library to do a route lookup.

There should be a route configured by the K8S cluster (not Istio) CNI from the CNI pod to the ztunnel pod, and there is not (from the perspective of the Istio CNI DS, anyway, which is what matters).

We need to understand why that is for that particular CNI plugin.

A good way to test this is to jump into the CNI pod and do an ip route get from the CNI DS pod to the ztunnel on the same node, e.g.

ip route get from <cni pod IP> <ztunnel pod IP>.

That's effectively what the netlink code above that is causing the failure is doing, so I would be interested to see if it also fails when you do it manually from within the CNI DS.


  2. kindnet CNI in your minikube:

with kindnet CNI:

kubectl logs -n istio-system daemonsets/istio-cni-node > kindnet.log: kindnet.log

istioctl bug-report: bug-report.tar.gz

For your kindnet log, we are getting a slew of different errors, all of them related to a lack of permissions by the CNI DS:

2023-07-25T14:41:24.578273Z	info	ambient	Node-level cleanup done
2023-07-25T14:41:24.616612Z	error	ambient	failed to add inbound tunnel: operation not supported
2023-07-25T14:41:24.616671Z	error	ambient	failed to add inbound tunnel address: no such device
2023-07-25T14:41:24.617392Z	error	ambient	failed to add outbound tunnel: operation not supported
2023-07-25T14:41:24.617428Z	error	ambient	failed to add outbound tunnel address: no such device
2023-07-25T14:41:24.617458Z	error	ambient	failed to set inbound tunnel up: no such device
2023-07-25T14:41:24.617484Z	error	ambient	failed to set outbound tunnel up: no such device
2023-07-25T14:41:24.617505Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioout/rp_filter: open /proc/sys/net/ipv4/conf/istioout/rp_filter: no such file or directory
2023-07-25T14:41:24.617517Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioout/accept_local: open /proc/sys/net/ipv4/conf/istioout/accept_local: no such file or directory
2023-07-25T14:41:24.617526Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioin/rp_filter: open /proc/sys/net/ipv4/conf/istioin/rp_filter: no such file or directory
2023-07-25T14:41:24.617534Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioin/accept_local: open /proc/sys/net/ipv4/conf/istioin/accept_local: no such file or directory

At the very least, the host node's /proc must be writable by the CNI DS for it to function. This indicates it's something to do with how minikube is configured, and a lack of required permissions between the CNI DS and the emulated K8S node.

What minikube driver are you using?

@jmazzitelli
Member Author

What minikube driver are you using?

I'm using the kvm2 driver. You can use this script to start minikube to get what I get (well, assuming the actual minikube version is the same) - this is the same script I use: https://github.com/kiali/kiali/blob/master/hack/k8s-minikube.sh

I start it via: k8s-minikube.sh --cni kindnet start when doing these tests.

By default, that script will use the kvm2 driver.

Note the default cni used by that script is auto - so I don't know what it would pick by default with that. But the script's --cni kindnet will pass that to minikube.

@jmazzitelli
Member Author

jmazzitelli commented Jul 27, 2023

A good way to test this is to jump into the CNI pod and do an ip route get from the CNI DS pod to the ztunnel on the same node, e.g.

ip route get from <cni pod IP> <ztunnel pod IP>.

That's effectively what the netlink code above that is causing the failure is doing, so I would be interested to see if it also fails when you do it manually from within the CNI DS.

Started minikube withOUT --cni kindnet (so default is auto - I actually don't know how to know what it actually ends up using). All I then did was install today's 1.19 dev build (istio-1.19-alpha.ca648f31ec02194e161d923a2c7da28e374d1922) via istioctl install --set profile=ambient --set components.ingressGateways[0].enabled=true --set components.ingressGateways[0].name=istio-ingressgateway --skip-confirmation

CNI pod IP:

$ kubectl get -n istio-system pod $(kubectl get pod -n istio-system -l k8s-app=istio-cni-node -o jsonpath='{.items..metadata.name}') -o jsonpath='{.status.podIP}'
192.168.39.212

Ztunnel pod IP:

$ kubectl get -n istio-system pod $(kubectl get pod -n istio-system -l app=ztunnel -o jsonpath='{.items..metadata.name}') -o jsonpath='{.status.podIP}'
10.244.0.9

From CNI DS:

$ kubectl exec -it -n istio-system $(kubectl get ds -n istio-system istio-cni-node -oname) -- ip route get from 192.168.39.212 10.244.0.9
10.244.0.9 from 192.168.39.212 dev bridge uid 0 
    cache 

From CNI pod:

$ kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l k8s-app=istio-cni-node -oname) -- ip route get from 192.168.39.212 10.244.0.9
10.244.0.9 from 192.168.39.212 dev bridge uid 0 
    cache 

istio-cni-node pod errors: kubectl logs -n istio-system -l k8s-app=istio-cni-node --tail=-1 > istio-cni-node-err.txt

This looks bad:

2023-07-27T21:05:49.599039Z	error	controllers	error handling istio-system/ztunnel-9txn6, retrying (retry count: 1): failed to get veth device: no routes found for 10.244.0.9	controller=ambient

There are other warnings in here, like:

2023-07-27T21:05:49.424658Z	warn	ambient	unable to list IPSet: failed to list ipset ztunnel-pods-ips: no such file or directory
...
2023-07-27T21:05:49.548674Z	warn	ambient	Error running command iptables-legacy: iptables: No chain/target/match by that name.
...
2023-07-27T21:05:49.569655Z	warn	ambient	Error running command iptables-legacy: iptables v1.8.7 (legacy): Couldn't load target `ztunnel-PREROUTING':No such file or directory
...
...and others...

@bleggett
Contributor

bleggett commented Jul 31, 2023

2023-07-27T21:05:49.599039Z error controllers error handling istio-system/ztunnel-9txn6, retrying (retry count: 1): failed to get veth device: no routes found for 10.244.0.9 controller=ambient

Correct, this is the error mentioned previously when the default CNI is used. There's no route to the ztunnel pod.

A good way to test this is to jump into the CNI pod and do an ip route get from the CNI DS pod to the ztunnel on the same node, e.g: ip route get from <cni pod IP> <ztunnel pod IP>.

☝️ Did you try this? Open a shell into the istio-cni pod on the node that's running ztunnel-9txn6. What does ip route give you for a route with a dest of istio-system/ztunnel-9txn6's IP? Please try it, and share the results. We need a route to a pod IP to do anything, and Istio doesn't set that up, the cluster CNI does. My suspicion is it will give you no route. If it tells you there's no route, that's a cluster CNI problem, not an Istio problem. If it tells you there is a route, then we might have a netlink problem.

By default, that script will use the kvm2 driver.

The kvm2 driver doesn't seem to be properly supporting running istio-cni as a privileged container then, as you can see from these errors:

2023-07-25T14:41:24.578273Z	info	ambient	Node-level cleanup done
2023-07-25T14:41:24.616612Z	error	ambient	failed to add inbound tunnel: operation not supported
2023-07-25T14:41:24.616671Z	error	ambient	failed to add inbound tunnel address: no such device
2023-07-25T14:41:24.617392Z	error	ambient	failed to add outbound tunnel: operation not supported
2023-07-25T14:41:24.617428Z	error	ambient	failed to add outbound tunnel address: no such device
2023-07-25T14:41:24.617458Z	error	ambient	failed to set inbound tunnel up: no such device
2023-07-25T14:41:24.617484Z	error	ambient	failed to set outbound tunnel up: no such device
2023-07-25T14:41:24.617505Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioout/rp_filter: open /proc/sys/net/ipv4/conf/istioout/rp_filter: no such file or directory
2023-07-25T14:41:24.617517Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioout/accept_local: open /proc/sys/net/ipv4/conf/istioout/accept_local: no such file or directory
2023-07-25T14:41:24.617526Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioin/rp_filter: open /proc/sys/net/ipv4/conf/istioin/rp_filter: no such file or directory
2023-07-25T14:41:24.617534Z	error	ambient	failed to write to proc file /proc/sys/net/ipv4/conf/istioin/accept_local: open /proc/sys/net/ipv4/conf/istioin/accept_local: no such file or directory

My recommendation would be to use the docker driver instead, I suspect that will work with kindnet. If you have a requirement to use kvm2 then the next step is to debug minikube+kvm2 to understand what the permissions problem is, and why privileged pods can't mount /proc with the kvm2 driver. https://minikube.sigs.k8s.io/docs/drivers/kvm2/#troubleshooting

@jmazzitelli
Member Author

Open a shell into the istio-cni pod on the node that's running ztunnel-9txn6. What does ip route give you for a route with a dest of istio-system/ztunnel-9txn6's IP? Please try it, and share the results.

Yes, I did that and reported the results in my previous comment. I provide the commands and output results for that. I'll repeat here. The first two commands get the IPs, the second two commands run that ip route (from the daemonset and pod, which I don't think matters, but for completeness I do both to show they return the same thing):

CNI pod IP:

$ kubectl get -n istio-system pod $(kubectl get pod -n istio-system -l k8s-app=istio-cni-node -o jsonpath='{.items..metadata.name}') -o jsonpath='{.status.podIP}'
192.168.39.212

Ztunnel pod IP:

$ kubectl get -n istio-system pod $(kubectl get pod -n istio-system -l app=ztunnel -o jsonpath='{.items..metadata.name}') -o jsonpath='{.status.podIP}'
10.244.0.9

From CNI DS (this is the ip route command):

$ kubectl exec -it -n istio-system $(kubectl get ds -n istio-system istio-cni-node -oname) -- ip route get from 192.168.39.212 10.244.0.9
10.244.0.9 from 192.168.39.212 dev bridge uid 0 
    cache 

From CNI pod (this is the ip route command):

$ kubectl exec -it -n istio-system $(kubectl get pod -n istio-system -l k8s-app=istio-cni-node -oname) -- ip route get from 192.168.39.212 10.244.0.9
10.244.0.9 from 192.168.39.212 dev bridge uid 0 
    cache 

@bleggett
Contributor

bleggett commented Aug 7, 2023

Open a shell into the istio-cni pod on the node that's running ztunnel-9txn6. What does ip route give you for a route with a dest of istio-system/ztunnel-9txn6's IP? Please try it, and share the results.

Yes, I did that and reported the results in my previous comment.

Ah my bad, I missed that. Apologies.

Okay so:

  1. Ambient doesn't support CNIs that don't use veths at this time. That means you have to use kindnet (or another CNI that does) for minikube/etc. That's what the ip route get (and the CNI errors) are complaining about.

  2. The permission errors you get when you do use kindnet are probably related to your minikube driver. You need a driver that supports K8S hostNetwork=true, and allows containers to have permissions to write to /proc from within the container. You can choose a minikube driver that allows you to mount the node's /proc into the CNI agent.

tl;dr we probably need to update the docs for ambient to mention the specific config required for minikube because ambient has different/more specific requirements at this time than vanilla Istio, and minikube's defaults are insufficient.

For now use the docker driver and kindnet explicitly, and it should work, e.g. the following works for me:

minikube version
-> minikube version: v1.31.1

minikube start --cni=kindnet --driver=docker

With that config (or kind) I am unable to reproduce your errors. Minikube seems to default to bridge mode if you don't specify kindnet.

The podman/kvm2/etc drivers should also work if set up with the correct options, but I haven't tried them and don't use them, and as demonstrated by your logs, for those drivers to work, they need to support hostNetwork and /proc permissions correctly, and if they do not, things will not work.

bleggett added a commit to bleggett/istio.io that referenced this issue Aug 7, 2023
istio/istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
bleggett added a commit to bleggett/istio.io that referenced this issue Aug 7, 2023
istio/istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
bleggett added a commit to bleggett/istio.io that referenced this issue Aug 7, 2023
istio/istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
istio-testing pushed a commit to istio/istio.io that referenced this issue Aug 7, 2023
istio/istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
istio-testing pushed a commit to istio-testing/istio.io that referenced this issue Aug 7, 2023
istio/istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
istio-testing added a commit to istio/istio.io that referenced this issue Aug 8, 2023
istio/istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
Co-authored-by: Benjamin Leggett <benjamin.leggett@solo.io>
@jmazzitelli
Member Author

For now use the docker driver and kindnet explicitly, and it should work, e.g. the following works for me

OK. Thanks. I'll try that and see how it goes. For now, I have it all working with KinD so this isn't any kind of blocker for me personally. But I figured it is good to try to nail down what is required in order to get things to work on minikube, also.

@jmazzitelli
Member Author

With CNI of kindnet and driver of docker, things look different now.

The only error message I see in the DS istio-cni-node:

$ kubectl logs -n istio-system daemonset/istio-cni-node | grep error
2023-08-08T12:44:44.643276Z	error	controllers	error handling istio-system/ztunnel-zgjfn, retrying (retry count: 1): failed to get ns name: failed to get namespace for 8	controller=ambient

Warnings in the logs:

$ kubectl logs -n istio-system istio-cni-node-psn22 --tail=-1 | grep warn
2023-08-08T12:44:40.031001Z	info	FLAG: --log-level="warn"
2023-08-08T12:44:40.037646Z	warn	ambient	unable to list IPSet: failed to list ipset ztunnel-pods-ips: no such file or directory
2023-08-08T12:44:44.553343Z	info	ambient	If rules do not exist in the first place, warnings will be triggered - these can be safely ignored
2023-08-08T12:44:44.566626Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.567359Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.568090Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.568815Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.569529Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.570224Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.570952Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.571648Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.572439Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-PREROUTING' does not exist
2023-08-08T12:44:44.573145Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.573918Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-POSTROUTING' does not exist
2023-08-08T12:44:44.574594Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.575324Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-PREROUTING' does not exist
2023-08-08T12:44:44.576014Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.576717Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-POSTROUTING' does not exist
2023-08-08T12:44:44.577414Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.578145Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-FORWARD' does not exist
2023-08-08T12:44:44.578823Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.579546Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-INPUT' does not exist
2023-08-08T12:44:44.580268Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.581025Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-OUTPUT' does not exist
2023-08-08T12:44:44.581705Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.582503Z	warn	ambient	Error running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-FORWARD' does not exist
2023-08-08T12:44:44.583175Z	warn	ambient	Error running command iptables-nft: iptables: No chain/target/match by that name.
2023-08-08T12:44:44.584415Z	warn	ambient	Error running command ip rule del priority 100: RTNETLINK answers: No such file or directory
2023-08-08T12:44:44.585234Z	warn	ambient	Error running command ip rule del priority 101: RTNETLINK answers: No such file or directory
2023-08-08T12:44:44.586078Z	warn	ambient	Error running command ip rule del priority 102: RTNETLINK answers: No such file or directory
2023-08-08T12:44:44.586944Z	warn	ambient	Error running command ip rule del priority 103: RTNETLINK answers: No such file or directory
2023-08-08T12:44:44.586985Z	warn	ambient	did not find existing inbound tunnel istioin to delete: Link not found
2023-08-08T12:44:44.587008Z	warn	ambient	did not find existing outbound tunnel istioout to delete: Link not found

However, I can't seem to get it to work.... trying to get the sleep pod to make a request to bookinfo:

$ kubectl exec -it -n bookinfo deployments/sleep -- curl http://productpage:9080
curl: (7) Failed to connect to productpage port 9080 after 2994 ms: Couldn't connect to server
command terminated with exit code 7

I see the same thing with my traffic generator:

$ kubectl exec -it -n bookinfo kiali-traffic-generator-7xkgr -- curl http://productpage.bookinfo:9080
curl: (7) Failed to connect to productpage.bookinfo port 9080: No route to host
command terminated with exit code 7

So something is still missing.

The one difference I can see is my version of minikube:

$ minikube version
minikube version: v1.30.1
commit: 08896fd1dc362c097c925146c4a0d0dac715ace0

Let me try this with the latest (1.31) and see if I get any better results.
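The diagnoses in this thread (no route from istio-cni to the ztunnel IP means the cluster CNI is not veth based; "operation not supported" and /proc write failures mean the minikube driver is not honoring a privileged hostNetwork pod; "failed to get ns name" is the netns path problem; the iptables, ip rule and tunnel-delete warnings are startup cleanup noise that the CNI itself says can be safely ignored) can be turned into a small triage script. The script below is an added example, my own code rather than Istio's or anything posted in this thread. It parses istio-cni-node log lines in the tab-separated format quoted above, buckets the warn/error messages by those diagnoses, and also pulls the egress interface out of `ip route get` output as used in the route check above. The category names, hints and the treatment of the ipset warning as cleanup noise are my assumptions; the sample log lines are constructed from lines quoted in this thread.

```python
"""Triage helper for istio-cni-node ambient logs (added example, not Istio code)."""
import re
from collections import Counter

# istio-cni-node log format as quoted in this thread:
#   <timestamp>\t<level>\t<scope>\t<message>[\tcontroller=<name>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\t(?P<level>\w+)\t(?P<scope>\w+)\t"
    r"(?P<msg>.*?)(?:\tcontroller=(?P<controller>\S+))?$"
)

# (category, hint, message patterns). Category names and hints are my own;
# the hints restate the diagnoses given in the thread.
CATEGORIES = [
    ("cluster-cni-no-veth",
     "istio-cni has no route to the ztunnel pod IP, so the cluster CNI is not "
     "veth based; use kindnet and verify with "
     "`ip route get from <cni pod IP> <ztunnel pod IP>` inside the istio-cni pod",
     [r"no routes found for", r"failed to get veth device"]),
    ("node-privilege",
     "istio-cni cannot create its tunnels or write the node's /proc; the "
     "minikube driver must run it privileged with hostNetwork (docker driver "
     "worked in this thread, kvm2 did not)",
     [r"operation not supported", r"failed to write to proc file",
      r"failed to add (in|out)bound tunnel", r"failed to set (in|out)bound tunnel up"]),
    ("netns-dir",
     "pod network namespace not found under the default netns path; install "
     "with --set values.cni.cniNetnsDir=/var/run/docker/netns for the docker driver",
     [r"failed to get ns name", r"failed to get namespace for"]),
    ("benign-cleanup",
     "startup cleanup of rules and tunnels that do not exist yet; the CNI "
     "itself logs that these can be safely ignored",
     [r"No chain/target/match by that name", r"Chain '[^']*' does not exist",
      r"Couldn't load target", r"RTNETLINK answers: No such file or directory",
      r"did not find existing (in|out)bound tunnel",
      # assumption: a missing ipset on first start is cleanup noise too
      r"unable to list IPSet"]),
]


def parse_line(line):
    """Split one log line into its fields, or return None for non-matching lines."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(msg):
    """Map a message to the first matching category, else 'unclassified'."""
    for name, _hint, patterns in CATEGORIES:
        if any(re.search(p, msg) for p in patterns):
            return name
    return "unclassified"


def triage(log_text):
    """Count warn/error lines per category; info and unparsable lines are skipped."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["level"] in ("warn", "error"):
            counts[classify(rec["msg"])] += 1
    return dict(counts)


def blocking_causes(log_text):
    """Categories that point at a real misconfiguration, in CATEGORIES order."""
    counts = triage(log_text)
    return [n for n, _h, _p in CATEGORIES if n != "benign-cleanup" and counts.get(n)]


def hint_for(category):
    return next((h for n, h, _p in CATEGORIES if n == category), "no diagnosis in this thread")


def egress_device(ip_route_get_output):
    """Interface named by `ip route get`, or None when the kernel reports no route."""
    m = re.search(r"\bdev (\S+)", ip_route_get_output)
    return m.group(1) if m else None


# Constructed sample: lines copied from the logs quoted in this thread.
SAMPLE_LOG = "\n".join([
    "2023-07-25T14:41:24.578273Z\tinfo\tambient\tNode-level cleanup done",
    "2023-07-25T14:41:24.616612Z\terror\tambient\tfailed to add inbound tunnel: operation not supported",
    "2023-07-25T14:41:24.617505Z\terror\tambient\tfailed to write to proc file /proc/sys/net/ipv4/conf/istioout/rp_filter: open /proc/sys/net/ipv4/conf/istioout/rp_filter: no such file or directory",
    "2023-07-27T21:05:49.599039Z\terror\tcontrollers\terror handling istio-system/ztunnel-9txn6, retrying (retry count: 1): failed to get veth device: no routes found for 10.244.0.9\tcontroller=ambient",
    "2023-08-08T12:44:44.566626Z\twarn\tambient\tError running command iptables-nft: iptables: No chain/target/match by that name.",
    "2023-08-08T12:44:44.572439Z\twarn\tambient\tError running command iptables-nft: iptables v1.8.7 (nf_tables): Chain 'ztunnel-PREROUTING' does not exist",
    "2023-08-08T12:44:44.586985Z\twarn\tambient\tdid not find existing inbound tunnel istioin to delete: Link not found",
    "2023-08-08T12:44:44.643276Z\terror\tcontrollers\terror handling istio-system/ztunnel-zgjfn, retrying (retry count: 1): failed to get ns name: failed to get namespace for 8\tcontroller=ambient",
])

if __name__ == "__main__":
    for cat, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {cat}")
    for cat in blocking_causes(SAMPLE_LOG):
        print(f"fix: {cat}: {hint_for(cat)}")
    # "dev bridge" is the output quoted in this thread for the default minikube CNI
    print("egress device:", egress_device("10.244.0.9 from 192.168.39.212 dev bridge uid 0 \n    cache "))
```

To use it against a live cluster, feed it `kubectl logs -n istio-system daemonset/istio-cni-node --tail=-1` and the output of the `ip route get` command run inside the istio-cni pod; an egress device that is a bridge rather than a veth, or any category other than benign-cleanup, is the thing to fix first.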

@jmazzitelli
Member Author

meh.. still doesn't work with minikube 1.31

$ minikube version
minikube version: v1.31.1
commit: fd3f3801765d093a485d255043149f92ec0a695f

$ kubectl exec deploy/sleep -n default -- curl --head -s http://productpage:9080/
command terminated with exit code 7

That exec call worked up until I labeled the namespace with the ambient enabled label. I was seeing this when not ambient-enabled:

$ kubectl exec deploy/sleep -n default -- curl --head -s http://productpage:9080/
HTTP/1.1 200 OK
Server: Werkzeug/2.2.3 Python/3.7.7
Date: Tue, 08 Aug 2023 13:49:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1683
Connection: close

How do I know if the kindnet CNI was actually used? I pass it in, but I see nothing in the startup messages that mention kindnet (unlike docker driver where I see it clearly telling me it is using the docker driver). Is there some command I can use to confirm minikube is using kindnet CNI?

Here's my output of minikube startup (I see nothing that mentions kindnet -- only thing it says about CNI is "Configuring CNI (Container Networking Interface) ...")

😄  minikube v1.31.1 on Fedora 38
✨  Using the docker driver based on user configuration
📌  Using Docker driver with root privileges
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
💾  Downloading Kubernetes v1.27.3 preload ...
    > preloaded-images-k8s-v18-v1...:  393.19 MiB / 393.19 MiB  100.00% 6.30 Mi
    > gcr.io/k8s-minikube/kicbase...:  447.62 MiB / 447.62 MiB  100.00% 5.42 Mi
🔥  Creating docker container (CPUs=4, Memory=8192MB) ...
🐳  Preparing Kubernetes v1.27.3 on Docker 24.0.4 ...
    ▪ Generating certificates and keys ...
    ▪ Booting up control plane ...
    ▪ Configuring RBAC rules ...
🔗  Configuring CNI (Container Networking Interface) ...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🔎  Verifying Kubernetes components...
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
Enabling the ingress addon
💡  ingress is an addon maintained by Kubernetes. For any concerns contact minikube on GitHub.
You can view the list of minikube maintainers at: https://github.com/kubernetes/minikube/blob/master/OWNERS
    ▪ Using image registry.k8s.io/ingress-nginx/controller:v1.8.1
    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407
    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407
🔎  Verifying ingress addon...
🌟  The 'ingress' addon is enabled
Enabling the image registry
💡  registry is an addon maintained by minikube. For any concerns contact minikube on GitHub.
You can view the list of minikube maintainers at: https://github.com/kubernetes/minikube/blob/master/OWNERS
    ▪ Using image docker.io/registry:2.8.1
    ▪ Using image gcr.io/k8s-minikube/kube-registry-proxy:0.0.5
🔎  Verifying registry addon...
🌟  The 'registry' addon is enabled

bleggett added a commit to bleggett/istio that referenced this issue Oct 18, 2023
Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
istio-testing pushed a commit that referenced this issue Oct 19, 2023
* Fix for #46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Release notes

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

---------

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
@bleggett
Contributor

Hey @jmazzitelli sorry for the delay on this.

Now that https://github.com/istio/istio/pull/47444 has merged, you should be able to take a nightly build and install istio with the flag --set values.cni.cniNetnsDir=/var/run/docker/netns into minikube running in Docker mode.

Tested with minikube start --cni=kindnet --driver=docker

@bleggett
Contributor

Also tested with minikube start --cni=kindnet --driver=qemu2

@jmazzitelli
Member Author

jmazzitelli commented Oct 20, 2023

Now that #47444 has merged, you should be able to take a nightly build and install istio with the flag --set values.cni.cniNetnsDir=/var/run/docker/netns into minikube running in Docker mode.

@bleggett I think I'm missing something. I tried to set that cniNetnsDir and it failed:

$ istioctl manifest install --skip-confirmation=true --set profile=ambient --set values.cni.cniNetnsDir=/var/run/docker/netns
Run the command with the --force flag if you want to ignore the validation error and proceed.
Error: generate config: unknown field "cniNetnsDir" in v1alpha1.CNIConfig

This is the 1.20 dev build I have (just downloaded it this morning):

$ istioctl version
no ready Istio pods in "istio-system"
1.20-alpha.2343aa9200b1815a5712fd01a8c7ad84bdada32a

I also tried the 1.21 dev build and it also failed the same way.

Error: generate config: unknown field "cniNetnsDir" in v1alpha1.CNIConfig
$ istioctl version
no ready Istio pods in "istio-system"
1.21-alpha.8f16765a1baa02e651affd083e937bf57017d336

@bleggett
Contributor

bleggett commented Oct 20, 2023

@jmazzitelli ugh yeah my bad - if you use plain Helm it will work but I forgot extra steps are required to expose Helm flags via istioctl

Fixing that with #47499 then above should work.

bleggett added a commit to bleggett/istio that referenced this issue Oct 23, 2023
…#47444)

* Fix for istio#46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Release notes

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

---------

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
istio-testing pushed a commit that referenced this issue Oct 23, 2023
…ikube issue (#47524)

* Fix for #46163 - Make `netns` host node path configurable (#47444)

* Fix for #46163

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Release notes

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

---------

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

* Expose #47444 to istioctl (#47499)

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>

---------

Signed-off-by: Benjamin Leggett <benjamin.leggett@solo.io>
@linsun
Member

linsun commented Dec 15, 2023

This should have been taken care of when this issue is resolved.

Could you try it? Instructions are posted on our slack:
https://istio.slack.com/archives/C049TCZMPCP/p1702045603158969

@jmazzitelli
Member Author

cc @josunect ^^

@linsun
Member

linsun commented Dec 20, 2023

Hi @jmazzitelli @johscheuer have you had chance to try it? Thx!

@linsun linsun added Ambient Beta Must have for Beta of Ambient Mesh L4 Issues related to L4 for ambient labels Dec 20, 2023
@jmazzitelli
Member Author

I have not. Is this available in a dev build that we can grab from https://storage.googleapis.com/istio-build ? That's how I test things.

@linsun
Member

linsun commented Dec 20, 2023

Not yet, because the PRs (very large) for #48212 are still under review for the past 2 weeks. The testing from various envs will increase our confidence about merging the PRs, thus the ask. :).

@yefengzhichen

yefengzhichen commented Jan 26, 2024

@linsun I set the cni by "istioctl install --set values.cni.cniNetnsDir="/var/run/docker/netns" --set profile=ambient --set "components.ingressGateways[0].enabled=true" --set "components.ingressGateways[0].name=istio-ingressgateway" --skip-confirmation" in the minikube env, but the istio-cni-node yaml did not change:

  containers:
  - args:
     # ...
    command:
    - install-cni
    image: docker.io/istio/install-cni:1.20.2
    volumeMounts:
    - mountPath: /var/run/netns
      mountPropagation: HostToContainer
      name: cni-netns-dir
  volumes:
  - hostPath:
      path: /var/run/netns
      type: Directory
    name: cni-netns-dir

@linsun
Member

linsun commented Jan 26, 2024

Hi, this feature is not merged yet, you'd have to use a temporary build from Yuval. #46163 (comment)

@linsun
Member

linsun commented Jan 29, 2024

This should be resolved, please try latest master or release 1.21 build, or wait for the official 1.21 release. see #48212.

@linsun linsun closed this as completed Jan 29, 2024
@josunect

I was testing istio-1.21.0-beta.0 and the Istio installation was successful:

minikube start --cni=kindnet
--set hub=gcr.io/istio-release --set values.meshConfig.enableAutoMtls=true --set values.pilot.env.ENABLE_NATIVE_SIDECARS=false --set profile=ambient --set values.gateways.istio-egressgateway.enabled=true --set values.gateways.istio-ingressgateway.enabled=true --set values.meshConfig.defaultConfig.tracing.sampling=100.00 --set values.meshConfig.accessLogFile=/dev/stdout --set values.cni.cniNetnsDir=/var/run/docker/netns

But for some reason, I cannot see the Kiali graph, it doesn't look to be generating all the Telemetry:


I also tested istio-1.21.0-beta.0 with kind and no cniNetnsDir option, and the graph is generated correctly.

@linsun
Member

linsun commented Jan 29, 2024

Sorry the code was just merged last Friday late (evening time for ET) - istio-1.21.0-beta.0 may not have the change, cc @istio/release-managers and @bleggett to chime in.

@linsun
Member

linsun commented Jan 29, 2024

https://github.com/istio/istio/wiki/Dev%20Builds - latest dev build should have the change @josunect

@ericvn
Contributor

ericvn commented Jan 29, 2024

Sorry the code was just merged last Friday late (evening time for ET) - istio-1.21.0-beta.0 may not have the change, cc @istio/release-managers and @bleggett to chime in.

The change should be in the -beta.1 since it was merged after beta.0 was released. I expect that the new build will be available in a day or 2.

@josunect

Thanks for the update

@harsh4870

harsh4870 commented Feb 4, 2024

Microservice PODs failing Docker Desktop Beta-1 release

Warning FailedCreatePodSandBox 25m kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "b0f41752d43c430f6f5ab3b637cb562c6bcdba71fe046beebcfefe6f88232322" network for pod "reviews-v2-b7dcd98fb-nhr26": networkPlugin cni failed to set up pod "reviews-v2-b7dcd98fb-nhr26_default" network: plugin type="loopback" failed (add): missing network name:, failed to clean up sandbox container "b0f41752d43c430f6f5ab3b637cb562c6bcdba71fe046beebcfefe6f88232322" network for pod "reviews-v2-b7dcd98fb-nhr26": networkPlugin cni failed to teardown pod "reviews-v2-b7dcd98fb-nhr26_default" network: plugin type="loopback" failed (delete): missing network name]

Installation of Istio is successful:

istioctl install --set profile=ambient --set "components.ingressGateways[0].enabled=true" --set "components.ingressGateways[0].name=istio-ingressgateway" --skip-confirmation

NAME                                    READY   STATUS    RESTARTS   AGE
istio-cni-node-dlr85                    1/1     Running   0          31m
istio-ingressgateway-689f9d6fb4-f8jpk   1/1     Running   0          31m
istiod-556d7d4cf5-5477v                 1/1     Running   0          31m
ztunnel-d4mrw                           1/1     Running   0          31m

@josunect

josunect commented Feb 5, 2024

Tested in minikube and it is working as expected.

@harsh4870

It's failing in Docker Desktop; ztunnel is not starting, with the same error as above. Will try to look into it and debug.

@linsun
Member

linsun commented Feb 5, 2024

Thanks @harsh4870, please keep us posted. Do Istio sidecars work in your Docker Desktop env?

cc @bleggett FYI

@harsh4870

harsh4870 commented Feb 5, 2024

Yes, the sidecar setup is working like a charm with Docker Desktop; in the ambient profile, ztunnel is failing.

Tried fully resetting the K8s cluster on Docker Desktop, but got the same error.

Sidecar was tested with 1.22, while for ambient I am using 1.21-beta-1.

@bleggett
Contributor

bleggett commented Feb 5, 2024

@harsh4870 What error?

Can you please open a separate issue for Docker Desktop to avoid confusing this issue, since this issue was originally raised for minikube?

@harsh4870

@bleggett Sure, thanks. I have created an issue here: #49208

@josunect

josunect commented Feb 8, 2024

I think there is some kind of issue in minikube with sidecar namespaces in Istio 1.21.0-beta.1.

I was going to do some testing for this issue in minikube, creating an istio-injection=enabled labeled namespace and another with the ambient label. The pods with sidecars were unable to start.

I was able to reproduce it by installing Istio with the ambient profile and bookinfo; this is how the pods look:

Events:
  Type     Reason     Age                   From               Message
  ----     ------     ----                  ----               -------
  Normal   Scheduled  12m                   default-scheduler  Successfully assigned bookinfo/details-v1-698d88b-kdrxw to minikube
  Normal   Pulled     10m (x5 over 12m)     kubelet            Container image "gcr.io/istio-release/proxyv2:1.21.0-beta.1" already present on machine
  Normal   Created    10m (x5 over 12m)     kubelet            Created container istio-validation
  Normal   Started    10m (x5 over 12m)     kubelet            Started container istio-validation
  Warning  BackOff    2m33s (x44 over 12m)  kubelet            Back-off restarting failed container istio-validation in pod details-v1-698d88b-kdrxw_bookinfo(fefd8a19-8d16-44a7-a534-b2d317e4d528)
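
The mixed sidecar-and-ambient check described in the comment above, written out as an added example (not code from the issue thread or from the Istio project). It assumes kubectl is on PATH and points at the minikube cluster; the namespace names sidecar-test and ambient-test are arbitrary, and the ambient namespace label istio.io/dataplane-mode=ambient is the documented Istio label rather than something taken from this thread. The detection function is exercised against a constructed copy of the BackOff event line shown above, so it can be run without a cluster.

```shell
#!/bin/sh
# Added example: reproduce the two-namespace (sidecar + ambient) setup
# and flag pods whose istio-validation init container is crash-looping.
# Assumption: kubectl talks to the minikube cluster under test.

# Label one namespace for sidecar injection and one for ambient mode.
# The ambient label is the documented Istio label, assumed here.
setup_namespaces() {
  kubectl create namespace sidecar-test
  kubectl label namespace sidecar-test istio-injection=enabled --overwrite
  kubectl create namespace ambient-test
  kubectl label namespace ambient-test istio.io/dataplane-mode=ambient --overwrite
}

# Return 0 when "kubectl describe pod" output (passed as $1) shows the
# istio-validation container in back-off, 1 otherwise.
has_validation_backoff() {
  printf '%s\n' "$1" | grep -q 'BackOff.*istio-validation'
}

# Walk every pod in a namespace and print the ones that match.
find_broken_pods() {
  ns="$1"
  for pod in $(kubectl get pods -n "$ns" -o name); do
    events=$(kubectl describe -n "$ns" "$pod")
    if has_validation_backoff "$events"; then
      echo "$pod: istio-validation back-off"
    fi
  done
}

# Constructed samples (modelled on the event line in the comment above)
# so the check can be exercised offline.
SAMPLE_BACKOFF='Warning  BackOff  2m33s (x44 over 12m)  kubelet  Back-off restarting failed container istio-validation in pod details-v1-698d88b-kdrxw_bookinfo(...)'
SAMPLE_OK='Normal  Started  10m  kubelet  Started container istio-proxy'
```

Against a live cluster, run setup_namespaces, deploy bookinfo into each namespace, then call find_broken_pods sidecar-test and find_broken_pods ambient-test; only the sidecar namespace should show the back-off if the behaviour in the comment above is present.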

@bleggett
Contributor

bleggett commented Feb 8, 2024

@josunect If it only shows up when you have a mixed sidecar-and-ambient setup, I would bet that's fixed by #49230 which should be in the most recent dev build.

@josunect

josunect commented Feb 9, 2024

Thank you @bleggett, I'll try on a newer build.

@josunect

@josunect If it only shows up when you have a mixed sidecar-and-ambient setup, I would bet that's fixed by #49230 which should be in the most recent dev build.

It looks like it is working on Istio-1.21.0-rc0. Thank you!

Status: Done
8 participants